Mature IT: It's time for IT departments to enforce grown-up passwords and intelligent monitoring

Organisations have a continuing problem with password management. Users don’t like complicated passwords; helpdesks don’t like resetting forgotten passwords, and managers don’t like seeing them stuck to the PC...

Security spotlight
October 3, 2012


Organisations have a continuing problem with password management. Users don’t like complicated passwords; helpdesks don’t like resetting forgotten passwords, and managers don’t like seeing them stuck to the PC monitor.

There’s no way round it: strong passwords are essential in a world where millions of the most common passwords are already compiled in crackers' word lists. Moreover, today’s readily available raw computing power means that brute force attacks are getting easier all the time. Because of these two factors, passwords really need to be nine characters or more in length, and as random and personal as possible, since recognisable phrases and patterns can be cracked easily.

So how should the IT department help users make a secure password that they will actually remember? Here’s just one method. Used in conjunction with best practices on the infrastructure side, this policy can simplify things for everyone: users, helpdesk and management, while enhancing security.

It’s a fact that the average user only wants to remember one password for their different online resources. This means our ‘average user’ would much rather use a password that is NOT unique across their sites. What they really want is not to tax their memory and, with a little intelligent password practice, they don’t have to. The key to this is to move the individual away from remembering a password to developing and remembering a syntax instead.

Let’s consider an example. The IT department wants users to create a unique yet easily remembered password for each of three different resources: Outlook, the sales database and a modelling tool, all accessible online. One suggestion for enforcing password creation through a syntax is below. However, to ensure security through variation, IT should not enforce a single syntax across the whole company, but should encourage users to create their own, using the example below to illustrate the process. In this way the individual has to remember:

• How a phrase opens

• The number of characters in the resource

• The number for an offset step

• How the phrase closes

In company A the example syntax is set in this way: [open phrase] + [domain-resource] + [extended char] + [close phrase]. As a whole the parts form a single phrase that’s easy to remember. Let’s break this down by step:

Step 1: [open phrase]. Our example phrase is 'Y0ur', and all of person B’s passwords will start with it. This opening phrase could be anything. It could equally be 'Th3' or 'L33', as long as it’s unique to the user and it remains consistent for effective memorising.


Step 2: [domain-resource]. If the IT department is encouraging users to set a password that can be remembered across multiple resources, it makes sense to mask the resource name. One technique is to obfuscate the first 3 characters of the individual resource name. It is for the individual to decide how many characters they use, as long as they remain consistent.

This solves the problem where someone nefarious obtains one password and then guesses which resource it is tied to. To obfuscate, one technique is a simple 'offset-step' applied to the resource name. And if all users mask in their own way, a hacker can’t ‘roll them all up’ by following the same rules.

So, for example, the user can step each character forward by one, i.e. 'a' becomes 'b', 'b' becomes 'c' and so on, obfuscating the resource name in the process.

Step 3: [extended character]: The extended character is mandatory, but it need not be a hyphen: it could equally be ‘@’ or ‘!’. The aim is to enforce an extended-character requirement.

Step 4: [close phrase]: Pick a word, e.g. ‘[email protected]’. The end result of following this example syntax is as follows:

So it is readily apparent that this is not complicated, because all a user needs to do to access their Outlook account is ask themselves “What is my Outlook password?” Such a system is easy to remember, because it is built from something the person can recall for every resource. By not using a plaintext common password it ensures that every resource’s password is different, and it complies with complex password criteria. Crucially, it’s difficult for a hacker to unroll everyone’s passwords if they find just one.

The syntax can be simple or complex. For example, here’s one which is simply a pet’s name mixed up backwards with a domain, and the obligatory extended character. Can you find the pet’s name?

• eBay: ReABCaSyO!1

• Paypal: RPAaCySpOal!1
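The two syntaxes described above, written out as small functions so the mechanics can be checked. This is an added example and not code from the original article: the open phrase, close phrase and resource names are constructed sample values, the set of characters treated as "extended" is an assumption, and the second function reproduces the eBay and Paypal passwords listed above from the pet's name, which it takes as an input. A final checker tests the generated passwords against the criteria the article itself states (nine characters or more, an extended character, and a different password for every resource).

```python
"""Added example (not from the original article): the article's two password
syntaxes as functions, plus a checker for the criteria the article states.
Open phrase, close phrase, resource names and pet name are constructed values."""

from itertools import zip_longest

# Assumption: which characters count as an "extended character" for the check.
EXTENDED_CHARS = set("-@!#$%&*?")


def offset_step(text: str, step: int = 1) -> str:
    """Shift each letter forward by `step` places in the alphabet, wrapping
    z -> a.  Case is preserved and non-letters are left alone, so
    'a' becomes 'b', 'b' becomes 'c' and so on (Step 2 of the article)."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(chr((ord(ch) - ord("a") + step) % 26 + ord("a")))
        elif ch.isupper():
            out.append(chr((ord(ch) - ord("A") + step) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def company_a_syntax(resource: str, open_phrase: str, close_phrase: str,
                     ext_char: str = "-", masked_len: int = 3, step: int = 1) -> str:
    """[open phrase] + [domain-resource] + [extended char] + [close phrase].
    The domain-resource part is the first `masked_len` characters of the
    resource name, obfuscated with the offset step."""
    masked = offset_step(resource[:masked_len], step)
    return f"{open_phrase}{masked}{ext_char}{close_phrase}"


def interleave_syntax(secret: str, domain: str, suffix: str = "!1") -> str:
    """The article's second syntax: a word written backwards, interleaved
    character by character with the domain name, then an extended-character
    suffix.  Leftover domain characters are appended when the word is shorter."""
    pairs = zip_longest(reversed(secret), domain, fillvalue="")
    return "".join(a + b for a, b in pairs) + suffix


def meets_criteria(passwords: dict) -> dict:
    """Check a {resource: password} map against the article's stated criteria:
    nine or more characters, at least one extended character, all different."""
    values = list(passwords.values())
    return {
        "min_nine_chars": all(len(p) >= 9 for p in values),
        "has_extended_char": all(any(c in EXTENDED_CHARS for c in p) for p in values),
        "all_different": len(set(values)) == len(values),
    }


if __name__ == "__main__":
    resources = ["Outlook", "Sales", "Modeller"]          # constructed names
    pw = {r: company_a_syntax(r, "Y0ur", "W0rd") for r in resources}
    for r, p in pw.items():
        print(f"{r:10} {p}")
    print(meets_criteria(pw))
    # The pet-name puzzle from the article, with the name supplied as input.
    print(interleave_syntax("OSCAR", "eBay"), interleave_syntax("OSCAR", "Paypal"))
```

With open phrase 'Y0ur' and the constructed close phrase 'W0rd', Outlook becomes `Y0urPvu-W0rd`: the first three characters "Out" step to "Pvu", so the resource name is masked but the user only has to recall the rule.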

Such systems are easy to learn, are far more secure than the traditional passwords that most users are wedded to, and don’t cost anything to implement. However, those organisations that require even higher standards of password strength might consider a password manager.

Even so, no password is guaranteed to be 100 percent secure and private. After such password hygiene is put into practice, the best way for an IT department to check on how well they've held up is through intelligent monitoring of the IT infrastructure via Security Information and Event Management (SIEM) tools to flag when a user’s behaviour deviates from the norm.

Making sure all parties with access to your network have only the appropriate rights is a difficult process. The most successful Identity and Access Management (IAM) solutions make use of identity-enriched log events to see what different types of users are actually doing, establishing baselines to detect anomalous, risky activity and improve access governance. If the business can monitor user activity across all accounts, applications, and systems, it enables organisations to understand who is on the network, what data they see and their actions. The result is greater security, better governance, and faster forensic investigations.

The most intelligent solutions combine the broad activity collection and correlation of SIEM with user and role data from IAM and directory technologies. By enriching log events with user information, organisations get a complete picture of user activity, including monitoring of high-risk privileged and shared accounts. IAM solutions typically used to take a top-down ‘role modelling’ approach. Now, using identity-enriched log events, organisations can see what different types of users are actually doing, establishing baselines to detect anomalous, risky activity and improve access governance.

By tackling security from the top and the bottom, organisations can create security in the centre.
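To make the identity-enriched monitoring described in the two paragraphs above concrete, here is an added example (not code from the article or from any SIEM product) that joins raw log events to a small identity directory, compares each event with a per-role baseline of normally used resources, and flags the deviations. The directory, the baselines, the log lines and the field names are all constructed, and the business-hours window used for privileged and shared accounts is an assumption.

```python
"""Added example (not from the original article): identity-enriched log events
checked against per-role baselines, the idea behind SIEM plus IAM monitoring.
All data below is constructed sample data; field names are assumptions."""

from collections import defaultdict

# Constructed identity directory: account -> attributes an IAM system would hold.
DIRECTORY = {
    "alice":  {"role": "sales",   "privileged": False, "shared": False},
    "bob":    {"role": "finance", "privileged": False, "shared": False},
    "svc_db": {"role": "service", "privileged": True,  "shared": True},
}

# Constructed per-role baselines, i.e. the resources each role normally uses
# (in practice learned from historical enriched events).
BASELINE = {
    "sales":   {"outlook", "sales_db"},
    "finance": {"outlook", "finance_db"},
    "service": {"sales_db"},
}

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 is normal for accounts

# Constructed log lines in a simple "time user action resource" format.
LOG_LINES = """\
09:01 alice LOGIN outlook
09:05 alice READ sales_db
09:07 bob READ finance_db
09:30 alice READ finance_db
23:15 svc_db EXPORT sales_db
10:02 carol READ sales_db
"""


def parse_event(line: str) -> dict:
    """Split one raw log line into its fields."""
    time, user, action, resource = line.split()
    return {"time": time, "user": user, "action": action, "resource": resource}


def enrich(event: dict, directory: dict = DIRECTORY) -> dict:
    """Attach identity attributes to a raw event.  Accounts missing from the
    directory are labelled UNKNOWN so they can be flagged rather than ignored."""
    enriched = dict(event)
    identity = directory.get(event["user"])
    if identity is None:
        enriched.update(role="UNKNOWN", privileged=False, shared=False)
    else:
        enriched.update(identity)
    return enriched


def detect(events: list, baseline: dict = BASELINE) -> list:
    """Return (event, reason) pairs for events that deviate from the norm."""
    findings = []
    for e in events:
        hour = int(e["time"].split(":")[0])
        if e["role"] == "UNKNOWN":
            findings.append((e, "account not in identity directory"))
        elif e["resource"] not in baseline.get(e["role"], set()):
            findings.append((e, f"{e['resource']} outside baseline for role {e['role']}"))
        if (e["privileged"] or e["shared"]) and hour not in BUSINESS_HOURS:
            findings.append((e, "privileged/shared account active outside business hours"))
    return findings


def run(log_text: str = LOG_LINES, directory: dict = DIRECTORY) -> list:
    """Parse, enrich and check every non-empty line of the log."""
    events = [enrich(parse_event(line), directory)
              for line in log_text.splitlines() if line.strip()]
    return detect(events)


def summary_by_user(findings: list) -> dict:
    """Count findings per account, the kind of roll-up an analyst triages."""
    counts = defaultdict(int)
    for event, _reason in findings:
        counts[event["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for event, reason in run():
        print(f"{event['time']} {event['user']:7} {event['action']:6} "
              f"{event['resource']:10} -> {reason}")
    print(summary_by_user(run()))
```

On the sample log this yields three findings: a sales user reading the finance database (outside her role's baseline), the shared service account exporting data late at night, and an account that does not exist in the directory at all. The enrichment step is what makes the first two possible; the raw line says nothing about role or privilege.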
